WinImage 8.10 vulnerabilities
Team Vexillium
Security Advisory
http://vexillium.org/
Name : WinImage 8.10 Multiple Vulnerabilities
Class : Denial of Service and Directory Traversal
Threat level : LOW (DoS), MED (Dir. traversal vuln)
Discovered : 2007-08-31
Published : 2007-09-15
Credit : j00ru//vx
Vulnerable : WinImage 8.10,
WinImage 8.0,
prior versions may also be affected
== Abstract ==
WinImage is an disc images' exploring application, with many
useful functions implemented, such as injecting/extracting files
from the data images, handling virtual machines' hard drives and so on.
The first vulnerability - Denial of Service - exists in the FAT image
handling function (mainly diskette image files are able to cause this kind
of application hang, but it's also possible that other image formats'
header modification may lead to such kind of program behaviour).
The succesful DoS attack is achieved by opening a special .IMG
file with its header modified. Because of bad FAT header handling,
the application may get into an infinite loop, so that the
only way is to terminate the process.
The second one - Directory Traversal vuln - was reported in .IMG
and .ISO images processing. There is no function to check whether
the filename or directory name consists a string like ".." etc
during the file extraction. In this case, extracting an image file
containing folders/files with malformed names, may be used to create a file or
directory in any location (specified by attacker) on the selected partition,
without
any user knowledge.
== Details ==
1. Denial of Service vulnerability
The DoS attack is very easy to carry out, it's just about modyfying
a few bytes in the diskette disc image - IMG file. The header value, that is
not beeing checked by WinImage is BPB_BytsPerSec, WORD (2 byte size)
at offset 11, as written in "Microsoft Extensible Firmware Initiative
FAT32 File System Specification".
The most important thing is clearly explained in the document:
"This value may take on only the following values: 512, 1024, 2048 or 4096."
There is no such condition in program processing the FAT header. Therefore,
we can change the value to any in the range of 0-65535. After the 2-byte
modification:
EB 3C 90 29 6C 75 68 64 49 48 43 00 {00 02} 01 00
--->
EB 3C 90 29 6C 75 68 64 49 48 43 00 {AA AA} 01 00
opening the changed file won't succeed, but the the application will hang
instead, getting into an infinite loop. To be more precise, the endless
loop looks like that:
.text:00415432 loc_415432: ; CODE XREF:
sub_415400+4Aj
.text:00415432 test eax, eax
.text:00415434 jbe short loc_41544C
.text:00415436 mov ecx, [esi+210h]
.text:0041543C add [ebx], ecx
.text:0041543E mov edi, eax
.text:00415440 call sub_4155C0
.text:00415445 cmp eax, 0FFFFFF0h
.text:0041544A jb short loc_415432
Having such modified file, the only thing to do is to convince somebody
to open it. This Denial of Service attack is not very harmful in fact,
although it's a typical header-based vulnerability, and is adviced to be
corrected.
Proof of Concept: http://j00ru.vexillium.org/vuln/winimage/dos_PoC.IMG
2. Directory Traversal vulnerability
An especially malformed disc image file (as before .IMG and .ISO files
processing
is vulnerable, but other formats' handling is also likely to be vulnerable) may
contain a directory/file name with an upwards dir traversal string inside,
such as:
readme.txt/../../../../../../../../sth.bat
During extraction a file named like this, WinImage should create "sth.bat" on
the
partition root rather then expected "readme.txt" in the specified path. In that
case,
it's even possible to extract a file with any name we want, to any location we
choose.
For example, exploiting this vulnerability may lead to extracton a .BAT file to
the
Autostart directory on the Windows installation partition.
Another important thing is that the real file name/path of file can be hidden
by making it look like:
readme.txt
/../../../../../../../../asdf.exe
It's same situation with folders. If one directory name is, for example,
"../../../../../../../../asdf", then all the subdirectories and files
will be extracted to folder named "asdf", created on the root of
partition.
Both file and directory name modifications are shown in the
PoC file provided (TEST1, TEST2 folders).
Proof of Concept: http://j00ru.vexillium.org/vuln/winimage/dir_PoC.IMG
== Solution ==
1. Denial of Service vulnerability
The best way to get rid of the ability to get WinImage hang, is adding
a function to check the BPB_BytsPerSec value, and inform user about
the image header error if it's greater than 4096 ( or even if the value
is not equal to 512, 1024, 2048 or 4096). This should be enough to eliminate
this kind of DoS vulnerability.
2. Directory Traversal vulnerability
In the case of this vuln, the only thing to do is to check all the files' and
directories' names. If there are any ".." strings found, they should be simply
removed from the name before the extraction process itself. It is also a nice
idea
not to run the WinImage program with administrative privileges, just to disable
the access of the most important windows directories like "Program Files",
"WINDOWS" etc ;>
== Vendor status ==
Vendor has been informed about these vulnerabilities, but not yet released
fixed program version.
== Disclaimer ==
This document and all the information it contains is provided "as is",
without any warranty. Author is not responsible for the misuse
of the information provided in this advisory. The advisory is
provided for educational purposes only.
Permission is hereby granted to redistribute this advisory, providing
that no changes are made and that the copyright notices and
disclaimers remain intact.
Copyright (C) 2007 j00ru of the Vexillium.